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Description 


The NCSC is aware of an issue with falcon agent which may cause issues when booting machines. Symp- 
toms include hosts experiencing a bugcheck or bluescreen error related to Falcon Sensor. CrowdStrike 
are actively working on a fix and there is no need to contact support; a public statement by CrowdStrike 
can be found at the following link: https: //www.crowdstrike.com/blog/statement-on-windows-se 
nsor-update/. Further information: 


¢ Windows hosts which have not been impacted do not require any action as the problematic channel 
file has been reverted. 

¢ Windows hosts which are brought online after 0527 UTC will also not be impacted 

* Hosts running Windows7/2008 R2 are not impacted. 

¢ This issue is not impacting Mac or Linux-based hosts 

* Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version. 

« Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version. 


Current Action 


CrowdStrike have identified a content deployment related to this issue and reverted those changes. If 
hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps 
can be used to workaround this issue. 


Workaround Steps 


Workaround Steps for individual hosts: 


¢ Boot Windows into Safe Mode or the Windows Recovery Environment 
— Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking 


can help remediation. 
« Navigate to 


C:\Windows\System32\drivers\CrowdStrike 


¢ Locate the file matching “C-00000291*.sys”, and delete it. 


¢ Boot the host normally. 
— Note: Bitlocker-encrypted hosts may require a recovery key. 


Workaround Steps for public cloud or similar environment including virtual: 


* Option 1 
— Detach the operating system disk volume from the impacted virtual server 
— Create a snapshot or backup of the disk volume before proceeding further as a precaution 
against unintended changes 
— Attach/mount the volume to to a new virtual server 
— Navigate to 


2407190120-NCSC TLP-CLEAR 


C: \Windows\System32\drivers\CrowdStrike 


— Locate the file matching “C-00000291*.sys”, and delete it. 
— Detach the volume from the new virtual server 
— Reattach the fixed volume to the impacted virtual server 


¢ Option 2 
— Roll back to a snapshot before 0409 UTC. 
AWS-specific documentation: 


* To attach an EBS volume to an instance: https: //docs.aws.amazon.com/ebs/latest/usergui 
de/ebs-attaching-volume.html#:~:text=To/20attach/%,20an420EBS/,20volume,and/20choo 
se/20Actions/2C/,20Attach/20volume 

¢ Detach an Amazon EBS volume from an instance: https: //docs.aws.amazon.com/ebs/latest 
/userguide/ebs-detaching-volume. html 


Azure environments: 


* Please review https: //azure.status.microsoft/en-gb/status 


Bitlocker recovery-related KBs: 


BitLocker recovery in Microsoft Azure: https: //www.crowdstrike.com/wp-content/uploads/2 
024/07/BitLocker-recovery-in-Microsoft- Azure. pdf 

BitLocker recovery in Microsoft environments using SCCM: https://www.crowdstrike.com/wp 
-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-SC 
CM. pdf 

BitLocker recovery in Microsoft environments using Active Directory and GPOs: https://www.cr 
owdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-envir 
onments-using-Active-Directory-and-GPOs. pdf 

BitLocker recovery in Microsoft environments using lvanti Endpoint Manager: https://www. crow 
dstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environ 
ments-using-Ivanti-Endpoint-Manager . pdf 


General Awareness 


Increased Phishing Attempts During IT Outages 

Please be aware of opportunistic phishing attempts culminating from this Global IT outage event. Be 
extra cautious of emails, calls or texts claiming to be from IT support. Always verify the sender’s details 
and never click on links or open attachments provided through unexpected channels. 


DISCLAIMER: This document is provided “as is” without war- 
ranty of any kind, expressed or implied, including, but not lim- 
ited to, the implied warranty of fitness for a particular purpose. 
NCSC-IE does not endorse any commercial product or service, 
referenced in this document or otherwise. 
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